An example network access control system includes a memory storing one or more security policies for an enterprise network; and one or more processors coupled to the memory and configured to: receive a request to connect to the enterprise network from a client device of a user, in response to the receipt of the request, determine one or more user attributes associated with the user and one or more endpoint attributes of the client device, identify a security policy of the one or more security policies based on the one or more user attributes and the one or more endpoint attributes, and configure an access control module of a network device of the enterprise network in accordance with the security policy.
Legal claims defining the scope of protection, as filed with the USPTO.
. A system comprising:
. The system of, wherein the identifier of the client device comprises a digital fingerprint of the client device.
. The system of, wherein the network device comprises a set of access control lists, and wherein to automatically configure the network device with the access control list associated with the category of client devices, the one or more processors are further configured to:
. The system of, wherein the one or more processors are further configured to, in response to a determination that the client device has disconnected from the network, remove the access control list from the set of access control lists of the network device.
. The system of, wherein the network device comprises an access point, a router, or a switch.
. The system of, wherein the user attributes include one or more of a name of the user, a group of which the user is a member, a home-office location of the user, a grade of the user, a department, an organization, or a role.
. The system of, wherein the endpoint attributes include one or more of a vendor, a make, a model, an operating system (OS) version, a WiFi service set identifier (SSID), a media access control (MAC) address, an Internet Protocol (IP) address, a time-of-connection, a communication pattern, a network port, a location, or a label associated with the client device.
. The system of, wherein the system comprises a cloud-based system and one of a cloud-based firewall or an on-premise firewall for the enterprise network.
. A method comprising:
. The method of, wherein the identifier of the client device comprises a digital fingerprint of the client device.
. The method of, wherein the network device comprises a set of access control lists, and wherein automatically configuring the network device with the access control list associated with the category of client devices comprises:
. The method of, further comprising:
. The method of, wherein the network device comprises one of an access point, a router, or a switch.
. The method of, wherein the user attributes include one or more of a name of the user, a group of which the user is a member, a home office location of the user, a grade of the user, a department, an organization, or a role.
. The method of, wherein the endpoint attributes include one or more of a vendor, a make, a model, an operating system (OS) version, a WiFi service set identifier (SSID), a media access control (MAC) address, an Internet Protocol (IP) address, a time-of-connection, a communication pattern, a network port, a location, or a label associated with the client device.
. Non-transitory computer-readable storage media comprising instructions that, when executed by processing circuitry, cause the processing circuitry to:
. The system of, wherein the network device comprises an on-premises network device, and wherein the system comprises a cloud-based system configured to manage enforcement of the intent-based security policies by at least the on-premises network device.
Complete technical specification and implementation details from the patent document.
This application claims the benefit of U.S. Provisional Application Ser. No. 63/230,232, entitled “METHODS FOR APPLYING SECURITY POLICIES BASED ON ENDPOINT AND USER ATTRIBUTES AND DEVICES THEREOF” and filed Aug. 6, 2021, the entire contents of which are incorporated by reference herein.
The disclosure relates generally to computer networks and, more specifically, to managing access to computer networks.
Commercial premises or sites, such as offices, hospitals, airports, stadiums, or retail outlets, often install complex wireless network systems, including a network of wireless access points (APs), throughout the premises to provide wireless network services to one or more wireless client devices (or simply, “clients”). APs are physical, electronic devices that enable other devices to wirelessly connect to a wired network using various wireless networking protocols and technologies, such as wireless local area networking protocols conforming to one or more of the IEEE 802.11 standards (i.e., “WiFi”), Bluetooth/Bluetooth Low Energy (BLE), mesh networking protocols such as ZigBee or other wireless networking technologies.
Many different types of wireless client devices, such as laptop computers, smartphones, tablets, wearable devices, appliances, and Internet of Things (IoT) devices, incorporate wireless communication technology and can be configured to connect to wireless access points when the device is in range of a compatible AP. In order to gain access to a wireless network, a wireless client device may first need to authenticate to the AP. Authentication may occur via a handshake exchange between the wireless client device, the AP, and an Authentication, Authorization, and Accounting (AAA) server controlling access at the AP.
In general, this disclosure describes one or more techniques for applying security policies using attributes of endpoint devices and users of endpoint devices that are obtained by a network access control (NAC) system. In some aspects, the network access control (NAC) system can be configured to authenticate client devices to a network when the client device requests to connect to the network. As part of a connection and/or authentication process, the NAC system can obtain attributes about the client device and the user of the client device. The NAC system can provide the attributes to a security enforcer, such as a firewall, which can utilize the client device attributes and the user attributes to determine a security policy to apply to network traffic to and from the client device. The techniques disclosed herein facilitate the development of security policies that may be based on a network administrator's intent rather than lower level rules that may be limited to rules based on network address or user roles. As an example, a network administrator can express a security policy “if the user is in the accounting department and is logging in on a corporate laptop, allow access to accounting servers and email servers” along with a rule “if the user is in the accounting department and logging in on a smartphone, allow access to email servers.” Thus, a user in the accounting department may access both accounting servers and email servers when logging in to the network on a corporate laptop that the network administrator can be reasonably assured has appropriate security software. However, the user may only access email servers and not the accounting servers when logging in to the network via a personal device such as a smartphone that may not be as secure as the corporate laptop.
The techniques of this disclosure provide one or more technical advantages and practical applications. As one example, existing systems typically express security policies in terms of network addresses, such as Internet Protocol (IP) addresses or Media Access Control (MAC) addresses. However, this requires that the network administrator know the network address of the user's device. This can be difficult for several reasons. First, network addresses in wireless and wired networks are typically assigned via the Dynamic Host Configuration Protocol (DHCP). In such cases, the network address for a user's client device may vary from one network login to another. Additionally, it is common for users to log in to a network using personal devices. For both reasons, it can be difficult, if not impossible, for a network administrator to know the network address of a user's device before the device is used on the network. It is difficult for a network administrator to formulate a security policy based on a network address when that address may change from login to login, or when the client device is a user's personal device. The techniques disclosed herein provide an advantage in that it is not necessary for a network administrator to know the specific network addresses of devices that may log in to the network. Instead, the network administrator can define a security policy based on higher-level attributes of both the user and the device the user uses to log in to the network.
In one example, the disclosure is directed to a network access control system that includes a memory storing one or more security policies for an enterprise network; and one or more processors coupled to the memory and configured to: receive a request to connect to the enterprise network from a client device of a user, in response to the receipt of the request, determine one or more user attributes associated with the user and one or more endpoint attributes of the client device, and provide the user attributes and the endpoint attributes to a security enforcer configured to: identify a security policy of the one or more security policies based on the one or more user attributes and the one or more endpoint attributes, and configure an access control module of a network device of the enterprise network in accordance with the security policy.
In another example, the disclosure is directed to a method that includes receiving, by processing circuitry configured to execute a network access controller, a request to connect to an enterprise network from a client device of a user; in response to receiving the request, determining, by the network access controller, one or more user attributes associated with the user and one or more endpoint attributes of the client device; and providing, by the network access controller, the one or more user attributes and the one or more endpoint attributes to a security enforcer configured to: apply a security policy based on the one or more user attributes and the one or more endpoint attributes, and configure a network device of the enterprise network in accordance with the security policy.
In a further example, the disclosure is directed to a network system that includes a security enforcer comprising processing circuitry configured to enforce a security policy with respect to a plurality of network devices; and a network access control system comprising a memory and one or more processors coupled to the memory, the network access control system configured to: receive a request to connect to the enterprise network from a client device of a user, in response to the receipt of the request, determine one or more user attributes associated with the user and one or more endpoint attributes of the client device, and provide the user attributes and the endpoint attributes to the security enforcer, wherein the security enforcer is configured to: identify a security policy of the one or more security policies based on the one or more user attributes and the one or more endpoint attributes, and configure an access control module of a network device of the enterprise network in accordance with the security policy.
The details of one or more examples of the techniques of this disclosure are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the techniques will be apparent from the description and drawings, and from the claims.
is a block diagram of an example network system including network access control (NAC) systems A-K and network management system (NMS), in accordance with one or more techniques of this disclosure. Example network system includes a plurality of sites A-N at which a network service provider manages one or more wireless networks A-N, respectively. Although each site A-N is shown as including a single wireless network A-N, respectively, in some examples each site A-N may include multiple wireless networks, and the disclosure is not limited in this respect.
Each site A-N includes a plurality of network access server (NAS) devices A-N, such as access points (APs), switches, and routers. NAS devices may include any network infrastructure devices capable of authenticating and authorizing client devices to access an enterprise network. For example, site A includes a plurality of APs A- through A-M, a switch A, and a router A. Similarly, site N includes a plurality of APs N- through N-M, a switch N, and a router N. Each AP may be any type of wireless access point, including, but not limited to, a commercial or enterprise AP, a router, or any other device that is connected to a wired network and is capable of providing wireless network access to client devices within the site. In some examples, each of APs A- through A-M at site A may be connected to one or both of switch A and router A. Similarly, each of APs N- through N-M at site N may be connected to one or both of switch N and router N.
In the example of, site A also includes an on-premises firewall A, which may be a firewall service running on a router, such as router A, configured to apply security policies to data traffic from client devices at site A to devices or systems within the enterprise network. The illustrated example of also includes a cloud-based firewall B connected to NAS devices N at site N. Cloud-based firewall B may be a firewall service running on a physical or virtual router configured to apply security policies to data traffic from client devices at site N to devices or systems within the enterprise network.
Each site A-N also includes a plurality of client devices, otherwise known as user equipment devices (UEs), referred to generally as UEs or client devices, representing various wireless-enabled devices within each site. For example, a plurality of client devices A- through A-K are currently located at site A. Similarly, a plurality of client devices N- through N-K are currently located at site N. Each client device may be any type of wireless client device, including, but not limited to, a mobile device such as a smart phone, tablet or laptop computer, a personal digital assistant (PDA), a wireless terminal, a smart watch, smart ring, or other wearable device. Client devices may also include wired client-side devices, e.g., IoT devices such as printers, security devices, environmental sensors, or any other device connected to the wired network and configured to communicate over one or more wireless networks.
In order to provide wireless network services to client devices and/or communicate over the wireless networks, APs and the other wired client-side devices at sites are connected, either directly or indirectly, to one or more network devices (e.g., switches, routers, gateways, or the like) via physical cables, e.g., Ethernet cables. Although illustrated as if each site includes a single switch and a single router, in other examples each site may include more or fewer switches and/or routers. In addition, two or more switches at a site may be connected to each other and/or connected to two or more routers, e.g., via a mesh or partial mesh topology in a hub-and-spoke architecture. In some examples, interconnected switches and routers comprise wired local area networks (LANs) at sites hosting wireless networks.
Example network system also includes various networking components for providing networking services within the wired network including, as examples, NAC systems including or providing access to Authentication, Authorization and Accounting (AAA) servers for authenticating users and/or client devices, an active directory server and/or a RADIUS server for managing permissions and access to network resources, a Dynamic Host Configuration Protocol (DHCP) server for dynamically assigning network addresses (e.g., IP addresses) to client devices upon authentication, a Domain Name System (DNS) server for resolving domain names into network addresses, a plurality of servers A-X (collectively “servers”) (e.g., web servers, database servers, file servers and the like), and NMS. As shown in, the various devices and systems of network are coupled together via one or more network(s), e.g., the Internet and/or an enterprise intranet.
In the example of, NMS is a cloud-based computing platform that manages wireless networks A-N at one or more of sites A-N. As further described herein, NMS provides an integrated suite of management tools and implements various techniques of this disclosure. In general, NMS may provide a cloud-based platform for wireless network data acquisition, monitoring, activity logging, reporting, predictive analytics, network anomaly identification, and alert generation. In some examples, NMS outputs notifications, such as alerts, alarms, graphical indicators on dashboards, log messages, text/SMS messages, email messages, and the like, and/or recommendations regarding wireless network issues to a site or network administrator (“admin”) interacting with and/or operating admin device. In some examples, NMS operates in response to configuration input received from the administrator interacting with and/or operating admin device.
The administrator and admin device may comprise IT personnel and an administrator computing device associated with one or more of sites. Admin device may be implemented as any suitable device for presenting output and/or accepting user input. For instance, admin device may include a display. Admin device may be a computing system, such as a mobile or non-mobile computing device operated by a user and/or by the administrator. Admin device may, for example, represent a workstation, a laptop or notebook computer, a desktop computer, a tablet computer, or any other computing device that may be operated by a user and/or present a user interface in accordance with one or more aspects of the present disclosure. Admin device may be physically separate from and/or in a different location than NMS such that admin device may communicate with NMS via network or other means of communication.
In some examples, one or more of NAS devices, e.g., APs, switches, and routers, may connect to edge devices A-N via physical cables, e.g., Ethernet cables. Edge devices comprise cloud-managed, wireless local area network (LAN) controllers. Each of edge devices may comprise an on-premises device at a site that is in communication with NMS to extend certain microservices from NMS to the on-premises NAS devices while using NMS and its distributed software architecture for scalable and resilient operations, management, troubleshooting, and analytics.
Each one of the network devices of network system, e.g., NAC systems, servers, firewalls, APs, switches, routers, client devices, edge devices, and any other servers or devices attached to or forming part of network system, may include a system log or an error log module wherein each one of these network devices records the status of the network device including normal operational status and error conditions. Throughout this disclosure, one or more of the network devices of network system, e.g., servers, firewalls, APs, switches, routers, and client devices, may be considered “third-party” network devices when owned by and/or associated with a different entity than NMS such that NMS does not directly receive, collect, or otherwise have access to the recorded status and other data of the third-party network devices. In some examples, edge devices may provide a proxy through which the recorded status and other data of the third-party network devices may be reported to NMS.
In the example of, each of NAC systems comprises a cloud-based network access control service at multiple, geographically distributed points of presence. Typically, network access control functionality is offered by on-premises appliances that are limited by processing power and memory as well as maintenance and upgrade issues. Offering cloud-based network access control services avoids these limitations and improves network administration. A centralized, cloud-based deployment of network access control, however, introduces issues with latency and failures that may block client devices from network access.
In accordance with the disclosed techniques, NAC systems provide multiple points of presence or NAC clouds at several geographic regions. NMS is configured to manage NAC configuration, including access policies for enterprise networks, and push the appropriate NAC configuration data or files to the respective NAC clouds A-K. In this way, NAC systems provide the same benefits as a centralized, cloud-based network access control service with lower latency and high availability.
NAC systems provide a way of authenticating client devices to access wireless networks of branch or campus enterprise networks. NAC systems may each include or provide access to an Authentication, Authorization, and Accounting (AAA) server, e.g., RADIUS server, to authenticate client devices prior to providing access to the enterprise network via the NAS devices. In some examples, NAC systems may enable certificate-based authentication of client devices or enable interaction with user directory services, e.g., an active directory at AD server, to authenticate the client devices.
NAC systems may identify client devices and provide client devices with the appropriate authorizations or access policies based on their identities, e.g., by assigning the client devices to certain virtual local area networks (VLANs), applying certain access control lists (ACLs), directing the client devices to certain registration portals, or the like. NAC systems may identify client devices by analyzing network behavior of the client devices, referred to as fingerprinting. Fingerprint information for a given client device includes one or more attributes associated with the client device, such as attributes associated with the client device itself, attributes associated with a user of the client device, and/or attributes associated with network connectivity of the client device. In some examples, fingerprinting client devices may be performed based on media access control (MAC) addresses, DHCP options used to request IP addresses, link layer discovery protocol (LLDP) packets, Hypertext Transfer Protocol (HTTP) user agent information, location information, DNS information, and/or device type and operating system information.
Client devices may include multiple different categories of devices with respect to a given enterprise, such as trusted enterprise devices, bring-your-own-device (BYOD) devices, IoT devices, and guest devices. NAC systems may be configured to subject each of the different categories of devices to different types of tracking, different types of authorization, and different levels of access privileges. In some examples, after a client device gains access to the enterprise network, NAC systems may monitor activities of the client device to identify security concerns and, in response, re-assign the client device to a quarantine VLAN or another less privileged VLAN to restrict access of the client device.
NMS is configured to operate according to an artificial intelligence/machine-learning-based computing platform providing comprehensive automation, insight, and assurance (WiFi Assurance, Wired Assurance and WAN Assurance) spanning from “client,” e.g., client devices connected to wireless networks and wired local area networks (LANs) at sites, to “cloud,” e.g., cloud-based application services that may be hosted by computing resources within data centers.
As described herein, NMS provides an integrated suite of management tools and implements various techniques of this disclosure. In general, NMS may provide a cloud-based platform for wireless network data acquisition, monitoring, activity logging, reporting, predictive analytics, network anomaly identification, and alert generation. For example, NMS may be configured to proactively monitor and adaptively configure network so as to provide self-driving capabilities.
In some examples, AI-driven NMS also provides configuration management, monitoring, and automated oversight of software defined wide-area networks (SD-WANs), which operate as an intermediate network communicatively coupling wireless networks and wired LANs at sites to data centers and application services. In general, SD-WANs provide seamless, secure, traffic-engineered connectivity between “spoke” routers (e.g., routers) of the wired LANs hosting wireless networks to “hub” routers further up the cloud stack toward the cloud-based application services. SD-WANs often operate and manage an overlay network on an underlying physical Wide-Area Network (WAN), which provides connectivity to geographically separate customer networks. In other words, SD-WANs extend Software-Defined Networking (SDN) capabilities to a WAN and allow network(s) to decouple underlying physical network infrastructure from virtualized network infrastructure and applications such that the networks may be configured and managed in a flexible and scalable manner.
In some examples, AI-driven NMS may enable intent-based configuration and management of network system, including enabling construction, presentation, and execution of intent-driven workflows for configuring and managing devices associated with wireless networks, wired LAN networks, and/or SD-WANs. For example, declarative requirements express a desired configuration of network components without specifying an exact native device configuration and control flow. By utilizing declarative requirements, what should be accomplished may be specified rather than how it should be accomplished. Declarative requirements may be contrasted with imperative instructions that describe the exact device configuration syntax and control flow to achieve the configuration. By utilizing declarative requirements rather than imperative instructions, a user and/or user system is relieved of the burden of determining the exact device configurations required to achieve a desired result of the user/system. For example, it is often difficult and burdensome to specify and manage exact imperative instructions to configure each device of a network when various different types of devices from different vendors are utilized. The types and kinds of devices of the network may dynamically change as new devices are added and device failures occur. Managing various different types of devices from different vendors with different configuration protocols, syntax, and software versions to configure a cohesive network of devices is often difficult to achieve. Thus, by only requiring a user/system to specify declarative requirements that specify a desired result applicable across various different types of devices, management and configuration of the network devices becomes more efficient. Further example details and techniques of an intent-based network management system are described in U.S. Pat. No. 10,756,983, entitled “Intent-based Analytics,” and U.S. Pat. No. 10,992,543, entitled “Automatically generating an intent-based network model of an existing computer network,” each of which is hereby incorporated by reference.
NAC systems may apply an access policy in response to network connection requests received from client devices. Other types of policies, e.g., security policies, routing policies, quality of service (QoS) policies, or other configuration information, may be applied to network traffic by certain network devices, e.g., on-premises firewalls A, cloud-based firewalls B, switches, routers, access points, or servers, within network system.
Generally speaking, a network administrator may define a security policy that specifies network traffic that is to be allowed or denied on a network. For example, APs, switches, routers, edge devices, and/or firewalls may be configured to apply security policies to admit or block data traffic along data paths from client devices to devices or systems within the enterprise network. In some aspects, a security policy may be provided to firewalls, APs, switches, routers, or edge devices, which can then interpret the security policy directly to admit or block traffic in accordance with the security policy. In some aspects, a security policy may be interpreted by one network device (e.g., a firewall), which can then configure APs, switches, routers, and/or edge devices in accordance with the security policy. For example, firewall may interpret security policy to generate access control lists (ACLs), and then provide the generated ACLs to APs, switches, routers, and/or edge devices, which implement (e.g., enforce) the security policy.
Typically, firewalls, and other network devices, apply security policies to data traffic based on a source IP address or a hostname associated with the client device from which the data traffic is sent. For example, in the context of network systems, a policy or access control list typically includes rules that are applied based on network addresses (e.g., IP addresses and/or port numbers). As an example, a security policy may include rules that specify that a device having a first IP address is allowed to (or blocked from) communicating with a device having a second IP address.
In accordance with the techniques of this disclosure, when a client device of a user requests to connect to network system, NAC systems can obtain user attributes associated with the user and endpoint attributes of the client device utilized by the user to connect to the network. In some aspects, user attributes can include the name of the user, groups of which the user is a member, the home-office location of the user, grade, department, organization, role (manager, staff, contractor, etc.), or other attributes associated with the user. In some aspects, endpoint attributes can include vendor, make, model, operating system (OS) version, WiFi service set identifier (SSID), media access control (MAC) address, Internet Protocol (IP) address, time-of-connection, communication pattern, network port, location, and/or a label associated with the client device. As an example, a label may be used to identify a client device as part of a group of client devices. The communication pattern may be a communication pattern that is determined from data analyzed by NMS regarding the operation of the client device.
NAC systems can provide user attributes and endpoint attributes to a security enforcer such as a firewall. Firewall can interpret security policy that includes rules that reflect a network administrator's intent rather than low-level network addresses. For example, the rules of security policy may be based on user attributes and endpoint device attributes rather than low-level network addresses. As an example, a rule may be expressed as “if department=accounting and manager=yes, permit access to accounting_printers.” An additional rule may be expressed as “if department=accounting and device=corporate laptop, permit access to accounting_printers.” Thus, if user is a member of the accounting department, and they are a manager or are using a corporate-issued laptop, the security policy allows the user to access printers in the accounting department. However, if the user is in the accounting department, but is not a manager and is using a personal tablet device to connect to the network, the user may not be permitted to access the accounting printers.
In some aspects, firewall generates access control data based on user attributes, endpoint attributes, and security policy. In some aspects, access control data may be ACLs that include IP addresses that are determined according to the user attributes, endpoint attributes, and security policy. Using the example above, firewall may generate access control entries (ACEs) that correspond to the IP address of client device used by user and the IP addresses of network resources that the user is allowed to access according to the rules of security policy. In some aspects, firewall can enforce security policy using the access control data. In some aspects, firewall can provide access control data to network devices that are in the path of client device and to other network devices of network system.
In the example shown in, the user of client device A- requests to connect to network A. In response, NAC system A obtains user attributes and obtains endpoint attributes. In some aspects, user attributes may be obtained from the Active Directory server and/or the RADIUS server. In some aspects, endpoint attributes may be obtained from client device A- and/or the NMS. NAC system A provides the user attributes and endpoint attributes to firewall A. Firewall A applies the security policy to the user attributes and endpoint attributes to generate access control data. For example, the firewall may generate ACEs for an ACL, where the ACEs include rules based on the IP addresses of client device A- and the network resources of the network system that the user is allowed to access using client device A-. As noted above, in some aspects, the firewall uses the access control data to enforce the security policy. In some aspects the firewall may, in addition or instead, provide the access control data to other network devices. For example, the firewall may provide the access control data to an AP, a switch, or a router.
The firewall may provide access control data to a network device in various ways. In some examples, the firewall may add the ACEs associated with a client device to an existing ACL, and provide the complete ACL to the network device. In cases where a network device supports multiple ACLs, the firewall may provide a new ACL to the network device that is added to the set of existing ACLs on the device.
In some aspects, when a client device disconnects from the network (e.g., ends a network session), the NAC system may inform the firewall of the disconnection. The firewall may then remove the ACEs associated with the client device from an ACL. For example, the firewall may remove the ACEs associated with the client device from an ACL of a network device, and provide the updated ACL to the network device. In cases where the network device supports multiple ACLs, the firewall may delete the ACL associated with the client device from the network device. Removing ACEs and/or ACLs from a network device can be desirable because some network devices such as APs, switches, or routers may have limited memory resources for storing ACLs or other data. Removing the ACEs and/or ACLs can free memory resources on the network device for other ACLs or for other purposes.
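The connect/disconnect flow described in the preceding paragraphs, as an added illustration that is not code from the disclosure: the two intent-based rules quoted above are evaluated against the merged user and endpoint attributes, matching rules are expanded into per-host ACEs using the client's current IP address, the ACEs are tracked per device session (keyed by a device identifier such as a fingerprint or MAC address rather than by IP) and are dropped again on disconnect. The rule syntax, the resource-group names, and every address are constructed for the example; `Firewall`, `ACE` and `Rule` are hypothetical names.

```python
"""Attribute-based NAC policy evaluated into per-device ACEs.

Added example (not the disclosure's code). Rule syntax, resource-group
names and all IP addresses below are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Named resource groups an administrator refers to in rules (constructed).
RESOURCE_GROUPS = {
    "accounting_printers": ["10.1.20.11", "10.1.20.12"],
    "engineering_git": ["10.2.30.5"],
}


@dataclass(frozen=True, order=True)
class ACE:
    """One access control entry: permit traffic from src host to dst host."""
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    """Intent-based rule: every condition must match the merged attributes."""
    conditions: tuple   # ((attribute, value), ...)
    permit: str         # resource group granted on match

    def matches(self, attrs):
        return all(attrs.get(k) == v for k, v in self.conditions)


# The two rules quoted in the text, written over user and endpoint attributes.
SECURITY_POLICY = (
    Rule((("department", "accounting"), ("manager", "yes")), "accounting_printers"),
    Rule((("department", "accounting"), ("device", "corporate laptop")),
         "accounting_printers"),
)


class Firewall:
    """Turns policy + attributes into ACEs and tracks them per device session."""

    def __init__(self, policy=SECURITY_POLICY, resources=RESOURCE_GROUPS):
        self.policy = policy
        self.resources = resources
        self.sessions = {}  # device_id (fingerprint/MAC) -> frozenset of ACEs

    def connect(self, device_id, user_attrs, endpoint_attrs):
        """Called by the NAC system on connect; returns the ACEs installed."""
        attrs = {**user_attrs, **endpoint_attrs}
        # Validate the address before it is baked into an ACE.
        src = str(ipaddress.ip_address(endpoint_attrs["ip"]))
        aces = {
            ACE(src, dst)
            for rule in self.policy if rule.matches(attrs)
            for dst in self.resources[rule.permit]
        }
        # A reconnect with a new DHCP lease simply replaces the old session.
        self.sessions[device_id] = frozenset(aces)
        return self.sessions[device_id]

    def disconnect(self, device_id):
        """Called on session end; the device's ACEs leave the ACL."""
        return self.sessions.pop(device_id, frozenset())

    def acl(self):
        """Rendered ACL for a downstream device; deny-by-default is explicit."""
        lines = [f"permit ip host {a.src} host {a.dst}"
                 for aces in self.sessions.values() for a in sorted(aces)]
        return lines + ["deny ip any any"]
```

Because sessions are keyed by the device identifier, a device that returns with a different IP address gets fresh ACEs from the unchanged rules, which is the property the disclosure claims over address-based rules; an unmatched attribute set yields no permit entries at all, so the trailing deny is what such a device hits.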
The techniques of this disclosure provide one or more technical advantages and practical applications. For example, the techniques facilitate use of a security policy that has rules that can include attributes beyond the network addresses used in existing systems. For example, rules can incorporate user attributes and client device attributes that are not currently supported in existing systems. The ability to include such attributes allows a network administrator to configure rules that reflect the intent of the administrator. For example, the network administrator can formulate rules using attributes that describe groups of devices and users rather than individual devices. The firewall can use the intent-based rules to automatically generate access control data. As a result, a network administrator is relieved of the burden of configuring ACEs for individual client devices.
Further, the intent-based rules facilitated by the techniques of the disclosure do not have to be updated when a network address of a client device changes. As described above, network addresses for client devices may be obtained from the DHCP server, and may change from network session to network session. Thus, a rule in an existing system that relies on network addresses may not work when the network address changes. Using the techniques of the disclosure, a client device can be identified regardless of the network address in use at any particular time.
Moreover, the techniques of the disclosure provide an advantage over existing systems in that ACLs may be removed when no longer needed. For example, when a client device disconnects from the network, the ACEs and/or ACLs associated with the client device may be removed from firewalls, switches, APs, and/or routers, thereby freeing memory resources for other ACLs or other purposes.
Although the techniques of the present disclosure are described in this example as performed by the NAC systems, the NMS, and/or the firewall, the techniques described herein may be performed by any other computing device(s), system(s), and/or server(s), and the disclosure is not limited in this respect. For example, one or more computing device(s) configured to execute the functionality of the techniques of this disclosure may reside in a dedicated server or be included in any other server in addition to or other than the NAC systems, NMS, or firewall, or may be distributed throughout the network, and may or may not form a part of the NAC systems, NMS, and/or firewall.
is a block diagram illustrating further example details of the network system of. In this example, illustrates logical connections A-N, A-N, and A-K, between NAS devices at sites, NAC systems, and NMS. In addition, illustrates NMS configured to operate according to an AI-based computing platform to provide configuration and management of one or more of the NAC systems and NAS devices at the sites via the logical connections.
In operation, the NMS observes, collects, and/or receives network data, which may take the form of data extracted from messages, counters, and statistics, for example, from one or more of the APs, switches, routers, edge devices, NAC systems, and/or other nodes within the network. The NMS provides a management plane for the network, including management of enterprise-specific configuration information for one or more of the NAS devices at the sites and the NAC systems. Each of the one or more NAS devices and NAC systems may have a secure connection with the NMS, e.g., a RadSec (RADIUS over Transport Layer Security (TLS)) tunnel or another encrypted tunnel. Each of the NAS devices and NAC systems may download the appropriate enterprise-specific configuration information from the NMS and enforce the configuration. In some scenarios, one or more of the NAS devices may be a third-party device or otherwise not support establishment of a secure connection directly with the NMS. In these scenarios, edge devices may provide proxies through which the NAS devices may connect to the NMS.
In accordance with one specific implementation, a computing device is part of the NMS. In accordance with other implementations, the NMS may comprise one or more computing devices, dedicated servers, virtual machines, containers, services, or other forms of environments for performing the techniques described herein. Similarly, computational resources and components implementing the virtual network assistant (VNA) and/or the NAC controller may be part of the NMS, may execute on other servers or execution environments, or may be distributed to nodes within the network (e.g., routers, switches, controllers, gateways, and the like).
In some examples, the NMS monitors network data, e.g., one or more service level expectation (SLE) metrics, received from each site A-N, and manages network resources, such as one or more of the APs, switches, routers, and edge devices at each site, to deliver a high-quality wireless experience to end users, IoT devices, and clients at the site. In other examples, the NMS monitors network data received from the NAC systems and manages enterprise-specific configuration information for the NAC systems to enable unconstrained network access control services for client devices at the sites with low latency and high availability.
As illustrated in, the NMS may include a VNA that implements an event processing platform for providing real-time insights and simplified troubleshooting for IT operations, and that automatically takes corrective action or provides recommendations to proactively address network issues. The VNA may, for example, include an event processing platform configured to process hundreds or thousands of concurrent streams of network data from sensors and/or agents associated with the APs, switches, routers, edge devices, NAC systems, and/or other nodes within the network. For example, the VNA of the NMS may include an underlying analytics and network error identification engine and alerting system in accordance with various examples described herein. The underlying analytics engine of the VNA may apply historical data and models to the inbound event streams to compute assertions, such as identified anomalies or predicted occurrences of events constituting network error conditions. Further, the VNA may provide real-time alerting and reporting to notify a site or network administrator via the admin device of any predicted events, anomalies, and trends, and may perform root cause analysis and automated or assisted error remediation. In some examples, the VNA of the NMS may apply machine learning techniques to identify the root cause of error conditions detected or predicted from the streams of network data. If the root cause can be automatically resolved, the VNA may invoke one or more corrective actions to correct the root cause of the error condition, thus automatically improving the underlying SLE metrics and also automatically improving the user experience.
Further example details of operations implemented by the VNA of the NMS are described in U.S. Pat. No. 9,832,082, issued Nov. 28, 2017, and entitled “Monitoring Wireless Access Point Events,” U.S. Publication No. US 2021/0306201, published Sep. 30, 2021, and entitled “Network System Fault Resolution Using a Machine Learning Model,” U.S. Pat. No. 10,985,969, issued Apr. 20, 2021, and entitled “Systems and Methods for a Virtual Network Assistant,” U.S. Pat. No. 10,958,585, issued Mar. 23, 2021, and entitled “Methods and Apparatus for Facilitating Fault Detection and/or Predictive Fault Detection,” U.S. Pat. No. 10,958,537, issued Mar. 23, 2021, and entitled “Method for Spatio-Temporal Modeling,” and U.S. Pat. No. 10,862,742, issued Dec. 8, 2020, and entitled “Method for Conveying AP Error Codes Over BLE Advertisements,” all of which are incorporated herein by reference in their entirety.
In addition, as illustrated in, the NMS may include a NAC controller that implements a NAC configuration platform that provides a user interface to create and assign access policies for client devices of enterprise wireless networks, and provides the appropriate enterprise-specific configuration information to the respective NAC clouds A-K. The NMS may have a secure connection A-K, e.g., a RadSec tunnel or another encrypted tunnel, with each of NAC systems A-K, respectively. Through the secure connections, the NAC controller may receive network data, e.g., NAC event data, from each of the NAC systems, and each of the NAC systems may download the appropriate configuration information from the NMS. In some examples, the NAC controller may log or map which enterprise networks are served by which of the NAC systems. In addition, the NAC controller may monitor the NAC systems to identify failures of primary NAC systems and manage failovers to standby NAC systems.
The NAC systems provide network access control services in a control plane for one or more of the NAS devices at the sites. In operation, the NAC systems authenticate client devices to access the enterprise wireless networks and may perform fingerprinting to identify the client devices and apply authorizations or access policies to the client devices based on the identities. The NAC systems include multiple, geographically distributed points of presence. For example, NAC system A may comprise a first cloud-based system positioned within a first geographic region, e.g., U.S. East, NAC system B (not shown) may comprise a second cloud-based system positioned within a second geographic region, e.g., U.S. West, and NAC system K may comprise a kth cloud-based system positioned within a kth geographic region, e.g., China.
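The NAC controller bookkeeping described above, as an added example rather than the disclosure's code: the controller records which enterprise networks each NAC system serves and which standby (typically in another region) backs it, treats NAC event data arriving over a system's tunnel as evidence of liveness, and fails enterprises over to the standby when a primary has been silent longer than a timeout, logging the cases where no healthy standby exists. The timeout, the liveness criterion, the NAC identifiers, regions and enterprise names are all constructed assumptions, and `NacController` is a hypothetical name.

```python
"""NAC controller: enterprise-to-NAC mapping and primary/standby failover.

Added example (not the disclosure's code). Liveness is judged only from the
time since the last NAC event on a system's tunnel; all names are constructed.
Times are plain numbers passed in by the caller so the logic is deterministic.
"""


class NacController:
    def __init__(self, heartbeat_timeout):
        self.timeout = heartbeat_timeout
        self.last_seen = {}  # nac_id -> time of last event received over its tunnel
        self.region = {}     # nac_id -> geographic region (informational)
        self.standby = {}    # primary nac_id -> standby nac_id
        self.serving = {}    # enterprise network -> nac_id currently serving it
        self.log = []        # audit trail of assignments, failovers, failures

    def register(self, nac_id, region, standby_id, enterprises, now):
        """Record a NAC system, its standby and the enterprises it serves."""
        self.last_seen[nac_id] = now
        self.region[nac_id] = region
        self.standby[nac_id] = standby_id
        for ent in enterprises:
            self.serving[ent] = nac_id
        self.log.append(f"{nac_id} ({region}) serves {sorted(enterprises)}")

    def event(self, nac_id, now):
        """Any NAC event data arriving over the secure tunnel counts as liveness."""
        self.last_seen[nac_id] = now

    def healthy(self, nac_id, now):
        return nac_id in self.last_seen and now - self.last_seen[nac_id] <= self.timeout

    def check(self, now):
        """Move every enterprise on a silent primary to its standby, if alive.

        Returns {enterprise: new_nac_id} for the enterprises actually moved.
        An enterprise whose standby is also silent stays put and is logged,
        since flapping to a dead standby would only lose the audit trail.
        """
        moved = {}
        for ent, cur in list(self.serving.items()):
            if self.healthy(cur, now):
                continue
            sb = self.standby.get(cur)
            if sb is None or not self.healthy(sb, now):
                self.log.append(f"{ent}: primary {cur} silent, no healthy standby")
                continue
            self.serving[ent] = sb
            moved[ent] = sb
            self.log.append(f"{ent}: failed over {cur} -> {sb} ({self.region.get(sb)})")
        return moved
```

The standby map is symmetric in the example, so once a primary recovers and its former standby goes silent the same `check` fails the enterprise back; a real deployment would also confirm the standby holds the current enterprise-specific configuration before cutting over, which is the download step the paragraph above describes.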
March 10, 2026